
Abstract 
to solve every security problem you have and some you 
didn't even know you had is amazing. 

There are open source security devices (both software 
and hardware), standalone battery powered personal 
security devices, directly host connected devices (USB, 
PCMCIA, PCI, SCSI), wireless security solutions, and a 
plethora of network attached security modules. 

This presentation provides an overview of the pros and 
cons of each general type of security device and the 
challenges you will face when integrating them into your 
existing environments. 



Disclaimer 

Any opinions expressed in this presentation 
represent the opinions of the presenter only 

No authorisation, endorsement or approval by any 
other party is implied unless explicitly stated. 

The presenter does not speak on behalf of the 
Queensland Government Department of Transport 
and Main Roads or any other part of Queensland 
Government. 





Authentication Options 

Implicit 
Username + Password 
Hardware Token 
One-factor 
Two-factor 
Biometrics 
One-way / Challenge-Response 
Connected / disconnected 
Contact / contactless 

Authentication Options 

Authentication Form Factors 

Personal non-connected Token 
Personal connected portable Token (USB, PCMCIA, smartcard) 
Non-portable Token (SCSI, PCI) 
Network attached Hardware Security Modules 




Smartcards 

Memory Cards 
No data processor - store limited information 
May be PIN protected or not (e.g. Phone card) 

Microprocessor Cards 
Contain processor and memory 
Increased capability and security functions 

Contact Cards 
Must be inserted into a terminal (reader) device 

Contactless Cards 
Communicate to terminal (reader) via wireless protocol 
► Powered 
► Non-powered 




Inside Security Devices 

Are these devices secure? 
Ignore vendor claims - making marketing claims is easy 
Require independent verification - FIPS 140, CC 

Are all devices essentially the same? 
What is actually inside 
Don't rely entirely on the device 
Plan for failure of the security controls 

Where appropriate include overlapping controls 
Plan for failure of the overlapping controls 





Comparison 

Standalone tokens 

Positives 
► No end-user software integration as the human is the communication device 
► Simple to explain; widely used - familiar concept 
► Mature technology 
► Can be used over the phone - it does not require a computer 
► Doesn't require trusting the user's platform 
Negatives 
► Battery runs out so have to regularly re-purchase (expensive) 
► Using the human as the connection to the device limits the amount of information that can be transferred 
► Huge variability between vendors in their engineering approach 
► Relying on security vendor to keep the 'secret' actually secret 



Comparison 

Positives 
► Simple to explain; widely used - familiar concept 
► Lots of vendor products to choose from 
► Keyboard devices can make-like-the-human and directly enter the information 
► Can be high-performance though often are not 
Negatives 
► Cannot use without a computer 
► Often will require software installed on the target machine 
► Often just a smartcard 'dressed up' 
► Lots of vendor products to choose from 
► Often not supported in a virtualised environment 



Comparison 

Smartcard - Contact 

Positives 
► Simple to explain; widely used - familiar concept 
► Can potentially load your own code into a 'secure environment' 
► Lots of vendor products to choose from 
Negatives 
► Requires a reader 
► Requires software installed on the target machine 
► Often entangled with a complicated PKI rollout 
► Lots of vendor products to choose from 
► Very low performance 



Comparison 

Smartcard - Contactless 

Positives 
► Simple to explain; widely used - familiar concept 
► Lots of vendor products to choose from 
► No issues with wear and tear on contacts 
► Reduced heat or moisture issues 
Negatives 
► Requires a wireless reader 
► Often will require software installed on the target machine 
► Often just a simple cloneable ID 
► Lots of vendor products to choose from 
► Very low performance 



Comparison 

Phones and PDAs 

Positives 
► Lots of vendor products to choose from 
► Effectively adding software to an existing device so 'hardware' costs are zero making for a cheaper solution to deploy as the user has already paid the hardware cost 
Negatives 
► Lots of vendor products to choose from 
► Lots of different phone operating systems, devices 
► Requires software installed on the target device 
► It is just another platform on which software can be installed so it is a software based solution (generally) 
► Substantially easier to 'attack' 



Comparison 

Positives 
► Physically connected 
► Substantially more functionality (in general) 
► Typically high-performance 
Negatives 
► Requires platform specific drivers 
► Does not work in a virtualised environment 
► Often has limited (or no) on-board storage 
► Generally more expensive 

Comparison 

Network attached 

Positives 
► Able to be located 'anywhere' 
► Substantially more functionality 
► Typically high-performance 
► If vendor uses standard protocol does not require platform specific drivers or can be supported on any platform the vendor chooses to 'port' their client-side software to 
E.g. OASIS Key Management Interoperability Protocol (KMIP) 
► Blinking lights 
Negatives 
► Substantially more expensive 
► Not feasible as an end-user device 





Local Deployment Examples 

Consumer Security Tokens 
Business Security Tokens 
Queensland Government Smartcard Licence 

Local Deployment Examples 

Banks - Nationally 

known challenge response tokens 
3,000+ LCD-based security tokens 
;00,000+ SMS-based authentication 

Queensland Government 

,000+ LCD-based security tokens (estimate) 

,000+ smartcards (estimate) 
_.,000+ ISO/IEC 24727 smartcards 
► Will go to approximately 3.5 million over the next five years 



Next Steps 

What do you have to do to get some security 

The strategy some folks seem to use: 
Pick a vendor at random 
Pick a device from the vendor at random 
Integrate device into your environment 
a) Pick pre-integrated products 
b) Pay the vendor to integrate 
c) Pay a consultant to integrate 
d) Integrate yourself 

Next Steps 

Integrating yourself 

You've got the token/smartcard/device 
How do you get the yes/no answer 
Where do you integrate 
How do you determine if you've "got some security" 




Authentication Standards 

Challenge Response Authentication Protocol (CHAP, MS-CHAP) 
Password Authentication Protocol (PAP) 
Extensible Authentication Protocol (EAP) 
HTTP Basic Access Authentication / Digest Authentication 
Kerberos 
Security Assertion Markup Language (SAML) 
Simple Authentication and Security Layer (SASL) 
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) 
Web Services Security (WSS) 
RADIUS, LDAP, KMIP, etc 







Application Program Interfaces 

PKCS#11 Cryptographic Token Interface (Cryptoki) 
Microsoft CryptoAPI (CAPI) 
Java (JCE, JKS, JSSE) 
Generic Security Services API (GSS-API) 
Open Source (OpenSSL, Cryptlib, Crypto++, NSS) 
PC/SC 
ISO/IEC 7816 (APDUs) 
ISO/IEC 24727 
Vendor specific proprietary APIs 



Authentication Standards 



http://www.openauthentication.org/ 

► Initially primarily backed by Verisign 

► Many vendors now provide physical tokens 

► Does not specify a full system 



[Image: "Strongly Authenticating Everyone, Everything, and Everywhere"] 



Authentication Standards 

Challenge Response Authentication Protocol (CHAP) 
RFC 1334, RFC 1994 
► Widely used in dial-up services 

Extensible Authentication Protocol (EAP) 
RFC 3748 
► Widely used to negotiate authentication protocol between dial-up client and server or client-server authentication 

Generic Security Services API (GSS-API) 
RFC 1508 
► Generic security services specification. Typically further defined in other protocols built on top of this generic framework. 



Authentication Standards 

HTTP Basic Access Authentication / Digest Authentication 
RFC 2616 
► Username + password. Typically used in combination with SSL/TLS (aka HTTPS) 

Kerberos 
RFC 1510 
► Network authentication protocol. Used in Microsoft Windows 2000 and above. 

Microsoft Challenge Handshake Authentication Protocol 
MS-CHAP v1 - RFC 2433 
MS-CHAP v2 - RFC 2759 
► CHAP dialects as Microsoft extensions. Used for remote workstation support. 



Authentication Standards 

Password Authentication Protocol (PAP) 
RFC 1334, RFC 1994 
► Older PPP/SLIP protocol with passwords in clear text. 

Security Assertion Markup Language (SAML) 
OASIS-SAML 
► Defines XML based security assertions and profiles for exchanging messages and transport bindings. 

Simple Authentication and Security Layer (SASL) 
RFC 2222 
► Method for adding authentication to communication protocols 









Authentication Standards 

S/KEY 
RFC 1760, RFC 2289 
► One time password system based on hashing. 

Secure Sockets Layer (SSL) / Transport Layer Security (TLS) 
RFC 2246 
► Security protocol supported in web browsers and web services with support for public key infrastructure and one party or mutual authentication. 

Web Services Security (WSS) 
OASIS-WSS 
► Enhancements to base SOAP messaging to support security via message integrity, confidentiality, and authentication. Supports tokens. 
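
The hash-chain idea behind the S/KEY entry above, as an added example that is not part of the original presentation. It assumes SHA-256 in place of the hashes and 64-bit folding the S/KEY RFCs specify; `otp`, `HashChainVerifier` and the sample seed and passphrase are constructed for illustration.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """One hash step. SHA-256 is an assumption; the S/KEY RFCs use MD4/MD5/SHA-1 folded to 64 bits."""
    return hashlib.sha256(data).digest()


def otp(seed: bytes, passphrase: bytes, n: int) -> bytes:
    """Client side: hash seed+passphrase once, then apply h() n more times."""
    value = h(seed + passphrase)
    for _ in range(n):
        value = h(value)
    return value


class HashChainVerifier:
    """Server side: stores only the last accepted OTP, never the passphrase."""

    def __init__(self, seed: bytes, count: int, top: bytes):
        self.seed = seed      # public salt sent in every challenge
        self.count = count    # chain position of the stored value
        self.last = top       # otp(seed, passphrase, count), set at enrolment

    def challenge(self):
        """Tell the client which chain position to compute next."""
        return self.seed, self.count - 1

    def verify(self, candidate: bytes) -> bool:
        if self.count <= 0:
            return False  # chain used up: the user must re-enrol
        # A valid OTP is the preimage of the stored value under h().
        if not hmac.compare_digest(h(candidate), self.last):
            return False
        self.last = candidate  # step down the chain so this OTP cannot be replayed
        self.count -= 1
        return True


def demo():
    seed, passphrase = b"constructed-seed", b"constructed passphrase"
    server = HashChainVerifier(seed, 3, otp(seed, passphrase, 3))
    results = []
    s, n = server.challenge()
    first = otp(s, passphrase, n)
    results.append(server.verify(first))   # fresh OTP accepted
    results.append(server.verify(first))   # replay of the same OTP rejected
    s, n = server.challenge()
    results.append(server.verify(otp(s, passphrase, n)))           # next OTP accepted
    results.append(server.verify(otp(s, b"wrong guess", n - 1)))   # wrong secret rejected
    return results


if __name__ == "__main__":
    print(demo())
```

Because the verifier holds only a value that has already been used, a copy of its database does not reveal the next valid password; the cost is that the chain runs out and the user has to re-enrol.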



Application Programming Interfaces 

PKCS#11 Cryptographic Token Interface (Cryptoki) 
PKCS#11 extensions for OTP defined 
Microsoft CryptoAPI (CAPI) 
CryptoAPI extensions for OTP defined 

Reliability of standard interfaces from multiple vendors 
remains a problem in some areas with interoperability. As 
with any technology, actual testing of vendor devices is 
required. 



Application Programming Interfaces 

Smartcard Level Interfaces 

ISO/IEC 7816 
EMV, GSM, PC/SC, OCF 
► Open Platform 
► Common Access Card 

APDU command sets documented by vendors 
APDU command sets and data format standardised in various contexts 

ISO/IEC 18013 - Electronic Driving License 
Freely available implementations 
Commercial implementations 

NIST Personal Identity Verification (PIV) + FIPS 201 



Application Programming Interfaces 

ISO/IEC 24727 

Framework for a large range of possible realisations 
Can be simply a middleware interface (no defined API) 
Only one deployment of ICC resident stack so far 

ISO/IEC 24727 Part 2 

"This part of ISO/IEC 24727 maximizes the fungibility of 
independent realizations of its prescriptions." 

ISO/IEC 24727 Part 5 
5656 pages 




Security Objectives 

Document the threat posed by the attacker 
What do they want 
What can they get if they defeat the 'security' 
What is the worth to the attacker 
What is it worth to the issuing organisation 

Ensure that the security mechanisms are targeted 

If you cannot elaborate the threat then you 
have no means to determine if you've 
successfully defended against that threat 

Ensure that the security mechanisms overlap 






Security Objectives 

Provide proof of authenticity 
► Prevent cloning 
► Prevent impersonation 

Provide a range of mechanisms that those performing the checks can use 
► Requires knowledge of the security mechanisms 
► Anything not known cannot be used in a front-line fraud check 

Provide layered mechanisms 
Provide detection 



Security Approaches 

Require physical presence at a known location 
Secure the premises with 'traditional approaches' 

Require physical action 
Preclude software 'automating away' the security controls 

Require multiple participants 
Use the participants' checks on each other as a supplemental control 
Require subversion of multiple participants in order to 'defeat' the security of the system 









A concrete example 

Separate participant required for 'computer room' entry 
Two participants required for 'ceremony room' entry 
Separate participant required to perform system login 
Separate participant required to perform application login 
Three out of five participants required to present physical security tokens 
Electronic locks with audit records 
Paper sign in records 
System activity audit records 
Independent HSM signed audit records 




A simple example 




The Door 

1. Combination dial (0-99) 

2. Keyed lock 

3. Seismic sensor (built-in) 

4. Locked steel grate 

5. Magnetic sensor 

6. External security camera 



The Vault 

7. Keypad for disarming sensors 

8. Light sensor 

9. Internal security camera 

10. Heat/motion sensor 

Queensland Smartcard Licence 

Originally Digital License Project (1999-2002) 
Renamed New Queensland Driver Licence (NQDL) 
NQDL named and smartcard technology selected (2002-2003) 
NQDL launched late 2003 for release in Oct 2006 
IP launched (April 2004) 
5 EOI (August 2006), PPP Binding Bid (April 2007) 
'Withdrawn (Late 2007) 
NQDL RFOs (Late 2007 to Mid 2008) 
SLIP MoU signed (November 2008) 
Official staff trials (Aug 2010) 
Official launch (late 2010) 
Rollout to TMR CSC (during 2011) 



Queensland Smartcard Licence 



"Approximately a quarter of Queensland businesses request 
the driver license of consumers or employees, to substantiate 
driving authority, identity, address and age." 

"Firstly, a Smartcard is significantly harder to duplicate, falsify 
or counterfeit than a laminate licence." 

"Secondly, Public Key Infrastructure (PKI) will also enable a 
Smartcard licence to 'self-authenticate', confirming it is a 
genuine licence and not a reproduction." 

"Thirdly, Smartcard licensing systems offer driver licensing 
authorities the potential to bind the holder more closely to 
their credential and prevent unauthorised use of the card. This 
may involve ... a personal identification number (PIN) ..." 



Queensland Smartcard Licence 

Key Security Features 

Digital photo and signature 

Computer chip that securely stores product and personal 
information 

Public Key Infrastructure (PKI) stored on the card's chip 

A variety of overt and covert visual and technological security 
features, such as holograms and special inks 

Personal Identification Number (PIN) - a security feature to help 
prevent unauthorised use of your card and to allow you to transact 
with Transport and Main Roads in the future 

Shared secrets - answers to two questions from a list of security 
questions that will allow you to transact online with Transport and 




Queensland Smartcard Licence 

Smartcard Licence Interoperability Protocol (SLIP) 

"The SLIP specifies data and technology platforms for Smartcard 
Licences, and was prepared in contemplation that one or more 
Australian licensing authorities implement Smartcards in their 
jurisdictions. Adopting this standard will ensure national 
interoperability, deliver infrastructure savings and save time and 
money. It will also provide flexibility in government 
purchasing and avoid the pitfalls of vendor-specific 
proprietary standards that are not interoperable. National 
and state/territory Transport Ministers ratified SLIP at the Australian 
Transport Council in November 2008." 



Queensland Smartcard Licence 



ciromc service i 

/ 

"The Australian Government Authentication Framework ... dictates 
that two-factor authentication is required for many medium and 
high risk transactions ..." 

"Smartcard licensing systems offer strong authentication, opening up 
the possibility for government services on-line. This is not limited to 
licensing and registration services ... but could include other services 
within and across governments." 

"Smartcard licences could also be used to validate identity in on-line 
commercial transactions." 

"Licence holders could potentially use their PIN to allow access to 
information on their licence when transacting with a merchant with 
a Smartcard reader" 



[Image: sample Queensland Government smartcard licence] 





What about ISO/IEC 24727? 

Interoperability 

"A common approach to ISO/IEC 24727 by SLIP and the NSF 
provides governments with an 'open architecture' that is 
non-proprietary and independent of particular vendors. This 
enables access to a global market with more suppliers, more 
competition and lower procurement costs." 

Smartcard Licence Interoperability Protocol (SLIP) SLIP overview 
Source: http://www.austroads.com.au/ 

Interoperability 



Number of implementations of ISO/IEC 24727 with ICC Resident 
Stack and Department of Transport and Main Roads defined security 
protocols: 



Number of applications available to Queensland residents and 
businesses that can interface to the issued smart cards: 

1 

Number of major security companies or smartcard technology 
providers supporting ISO/IEC 24727 with ICC Resident Stack and 
Department of Transport and Main Roads defined security protocols: 



Survey 

Queensland Smartcard Licence 

Have you experienced fraud with the Driver Licence 
► A) Never 
► B) Occasionally 
► C) Frequently 
Will you use the new smartcard 
► A) Yes 
► B) Maybe 
► C) Never 
Have you heard of ISO/IEC 24727 
► A) No 
► B) Only from the department 
► C) Yes 

Queensland Smartcard Licence 

Your plans for future Smartcard usage 
► A) Plan to migrate to ISO/IEC 24727 
► B) No interest in ISO/IEC 24727 
► C) No plans to ever use any smartcards 
Your view on Qld Government issued smartcards 
► A) Good idea 
► B) Bad idea 
► C) Undecided 
Do you feel informed about the new smartcards 
► A) Yes - I know everything I need to know 
► B) No - I want more information 
► C) No - And I don't want to know 



Questions 



Any questions? 



Tim Hudson 
Cryptsoft Pty Ltd 
tjh@cryptsoft.com 
http://www.cryptsoft.com/ 



